Wondering

Started by bob8787, October 12, 2004, 11:40:57 AM

hello everyone,

Me and my friend have been trying to access each other's PC for the fun of it, but have bumped into a couple of problems. I researched the net a bit and found out that you can gain access to a PC by finding a port using a port scanner and then connecting to my friend's PC once finding an unsecure port. The problem I have had though is when I do scan, i.e. my PC, I get 2 ports... how do I know if it's unsecure or not? And once I know the port, how do I connect? I would appreciate as much help as possible and I hope this is not off topic in any way  ;D

Well, basically a few questions come up. First and foremost is what operating system is on the machine you are trying to connect to.

Second, what are you trying to accomplish in your connection to that machine. "Unofficial file sharing", remote shell, etc.

Just to clarify a bit, you can't just scan for any old port and bam, take over a machine. haha. If it were that easy everyone would be hacking one another's machines. ;)

Finding the port to use is the beginning; you still have to find a hole that can be exploited via that port.
"A well known hacker is a good hacker, an unknown hacker is a great hacker..."

I don't care what your parents told you, you aren't special.
  • https://github.com/tazinator

I'm on NT, my friend is on XP... thing is I scan using Nscan, and then it finds a whole load of ports, as in ftp/http/dcom/smtp, and gives a port number as well as different IPs. At that point I get lost and don't know what to do lol, so I dunno if I actually found the port to use :P But basically I am interested in just getting into his PC and messing around without doing any serious damage.

Thanks -bob-

Well, if he isn't patched up in SPs and hotfixes, you can try running a few things for IIS 5.1 (what XP runs for HTTP and FTP) and some DCOM (RPC) exploits on his box. The DCOM ones are nice if you want to get a remote command shell; the HTTP and FTP ones will basically be good for looking at files on the disk. But again, it's all dependent on if he's patched up or not. If he is, it's going to be harder to find an exploitation on his box, but you can always take a peek at things and see if he set permissions, etc. correctly. He may have given people write permissions on his web directory (common mistake for some home users running a web server on their home machine). Then you could find various ways to upload and execute files on his box to possibly allow you more access (trojan horse).

You can find a lot of examples here:
http://www.packetstormsecurity.org/

It's all about ad-libbing. While he may be patched up to current, an older exploit may work if it's modified slightly or used in a different fashion. Thing with Windows is a lot of its holes are similar in nature to one another, so the trick is finding what works.

October 12, 2004, 01:43:07 PM #4 Last Edit: October 12, 2004, 01:43:18 PM by Tazinator
Oh, and this is a good port scanner made years ago which is simple and self-contained. Still works for me.

lol wait, I kinda got lost hehe. I don't think he is patched up, but from the port list that I get, are all of them exploited? How can I tell or test them?
Also, let's say I do get the port: what program or what way will I connect with to be able to execute the trojan?

Scanning his PC for open ports I got maybe 20-30 of them lol

thanks for the help :)

You can't tell if it's patched really unless his system is advertising its versioning. It's a trial and error route really.

As far as what ports and what exploits, you have to know what services use what ports.

Such as SMTP = 25
POP3 = 110
Web = 80 / SSL = 443
etc etc etc

Then, based on that, you pick what you want to use. Most of the exploits up for download are written in C or Python or something, which would require you to have a C compiler or Python interpreter on your machine if you're using Windows. I'd seriously suggest using a *nix of some sort as it's a whole lot easier to modify and run C code.
